there are a number of things we could do on an international scale that we do here in the united states like as we started exchanging hostages and different agencies, but we could work more closely, and we could also have, try to institute a better way of international investigations, not just communications of interpoll, but europol has gone a long way in international investigations within the european community, so -- >> other comments, tom? >> if i could add one more thing to that relating to sequesteration. headquarters and discussions on the hill over the last six months has been the tremendous expense of having the fbi in 76 offices overseas, including, i had agents assigned at europol,

interpol, u.n. headquarters in new york. among discussions was either to eliminate or cut by 50% the fbi's international offices. again, another act of absolute stupidity. i want to go to the hill and argue anybody who raises the issue to tell them how stupid it is, why we need the relationships, why we need representations, and how every day it affects u.s. and health of the u.s. national security. an example of that, a particular u.s. senator i will not name, landed once in a foreign country, greeted by the fbi agent there, and his remark was, well, i guess the fbi's sun never sets on the fbi. the agent was polite and everything, but he could have said, the sun never sets on u.s. interests either, pal. [laughter] thank you. [applause]

>> we have a lot of agreements and initiatives that i had to talk about the americas with the americans. i'm concerned about how demanding that it's been used to help been misused, and who -- a lot of money has been lost, and more concerning to me is to see that a lot of people that we have trained to combat organized crime, they, themselves, have become the supporters, the promoters of organized crime. when that is in the united states, they knew the how and

who to communicate. i'm very concerned, and i think we are wasting a lot of money, and we need to pay attention as to how the money is invested. >> thank you very much. the floor is now open for questions, and if you could please state your name and question and if you would like to address it to a particular member, please do that. yes, sir, right here. >> this is for all panelists. i'm with the transportation security administration. over the past several years, a number of u.s. jurisdictions have established fusion centers which are intended in part, at least, to put law enforcement and intelligence analysts together. could you comment on the effectiveness of this approach

so far and give us some idea what kind of institutions gnarlly and internationally could be built on that foundation going forward. >> well, the fbi has two types of fusion centers, and dhs has yet another one. they have, basically, different tuckses. the fbi has the joint terrorism task forces. before 9/11, i believe there were 4 # in existence, and today, there's 103. they have been a tremendous success story. building on that, the fbi has built a field intelligence groups, and -- which are more oriented, and the best of the understanding, i've been away from the fbi for a whim now, but it's been equally successful.

the home land security fusion centers have a different focus, and i'm probably going to do dhs a disservice here, but what they basically do is they work more with the politicians, the mayors and the governors to help them understand what the problems are in their area so that they can take the actions on their own. could that be done on an international scale? problem that you have is basically the problem, the failure from 1648, and hears that everybody is sovereign and incorporated in the article, article two of paragraph four of the united nations charter, territorial integrity and political independence of every country is sang, and if tom, an fbi agent, goes to great britain, can't take his gun with

him. that's app act of sovereignty there. that's the sort of thing you have to get passed. it was not until thatcher and reagan allowed the secret service to be armed when the president went there. that's a sort of problem that you look at. could it be overcome? it can, if a country wants to sacrifice sovereignty as hungary did at one point, and there are other instances of that. the italians and spanish can search ships on the high seas without asking permission. some of this can be done, but it's really quite difficult if you want to preserve the idea of sovereignty as it is incorporated in the united nations charter. >> if i could add, having been in charge of trying to set up fusion centers at state and local level as special agent in charge of indiana, one of the dill idifficulties is, for dug, there's no trouble

convincing new york city police there's a terrorist threat here, they might attack here, really. if you're in other parts of the country, the police there and governors and mayors say, you know, we're worry about mexican drug trafficking organizations and drugs brought into our junior high schools or our high schools. we don't think there's a major terrorist attack from a middle east based terrorist organization in the territory. why should we, in their view, wait, police officers, on a fusion center to address federal or national security issues, and the fusion center, in turn, is not going to address what we really care about at the state and local level. that's part of the difference with local fugs centers opposed to jttfs, that the local jurisdictions out in the rest of the country just may not think it's a wise use of their resources to devote investigators and analysts to the national programs or fusion center programs if it's not

going to also address their local issues too. >> next question, sir, over here. >> thank you, i want to pursue a question i started yesterday and directed to mr. puetes, the remark of keeping the eye on the ball and not swinging the pendulum in response to crisis, pursuing routine criminal investigations and criminal activity is not only an important task in its own right, but leads to greater discovery with respect to international crime and international terrorism. the question to you is, do you think that the fbi's morphing into and intelligence agency focused on ct and issues related to it? in fact, encouraged the -- encouraged taking the eye off the ball? >> to an extent, yes, it

somewhat has. it should be noted even after 9/11, 50% of the first fbi agents work the cases, and counterterrorism and national security related investigations have increased as a percentage, but not completely. criminal investigations are still ongoing, but the thresholds to work the perceived white collar crimes are not, and in terms of initiatives or new programs, when you're on the hill trying to justify something, again, it's much of the focus is going to be counterterrorism as opposed to other benefits that come. a quick story, in 2002 in beijing at the time i lobbied for the opening, and we worked organized crime together with the chinese, intellectual property was worked, human trafficking was worked together, and when i lobbied for that office, the questions i would get from the hill was why -- there's no counterterrorism

there, no jihad organization or south american drug cartel, none of the organized crime in china that we worry about from the middle east. i said, well, you know, we still need this for a variety of other u.s. interests. two years later after we open in 2004, a human trafficker at the mexican border walks into fbi loredo office age says, i have just trafficked four chinese terrorists across the u.s. border, and this was a democratic convention in boston. they are on the way to boston to commit a terrorist act. wow. you know, this gets defather and mother nateed, and be on the lookout, stand on the bridges, airports, train stations, you know, lock down boston because the four terrorists en route that we know of. there's 30 police officers from

beijing from the province they were from. we had the identities because the traffickers had their documents. forty-eight hours later, the government comes back and says, they are not terrorists. they were just your typical pes cant trafficked by the snake heads to the west, and these four people coming out of the rice patties and in that province wouldn't know confu confucious from bin laden. within 48 hours, it was eliminated. the thousands of man hours that would have been wasted had it not been for them giving us that information, they probably would be standing on the bridges. maybe they could have prevented the bombing by being there looking for the terrorists, but that was a tremendous day, and in my view, the costs of opening that office and putting two fbi agents and some other analysts in beijing paid for itself in savings to u.s. taxpayers

because resolving the issue of terrorism when there was no intent or knowledge that that office would be a key player in the war on terrorism. next question, here. >> john dunkin, texas a&m school of law. we talk about the mafia in the u.s., but what about gangs overseas, not only cooperation with other gang, but also the national security impacts on us, and because i say, you know, a lot of the new millionaires will be in china and russia, and that's where the money is going. >> anybody want to take on that one >> >> well, yes, organized

crime today is just national. it's not just one-way street. it goes both ways. we have our own gangs, the baker gangs, and i have to add are gangs, and so, yes, we had that threat also to other countries, and it is a vicious circle because it comes and it goes, it comes and it goes. as you well know, they just go to mexico, trafficking weapons, drugs, and the circle goes back and forth, back and forth. to the point that some of them say that they with caught because they will be deported allowing them just to have a

free trip back home and just come back again. yes, we have that problem. >> okay, thoughts on that? if not, opening it up to another question here. yes, lady over here. >> i'm dennis with the law firm, and my remark is addressed to commissioner maynard. i'd like your personal opinion, not that of the department, as to whether stop and frisk will be sustained, and if it is, what action the mayor will take? >> well, i'm not sure it's appropriate for my personal opinion or that i understand the question to be candid. there was a major ruling yesterday, i don't know if that's what you're referring to. i can't predict what the mayor will do if he wins and when he takes office if he does win.

i personally, my personal opinion, have hopes that upon, if he wins election, upon realizing that he is responsible for the management of the city as he will realize that it's in everybody's interest, including his own, to be able to manage the police department on his own without the interference of a federal judge. i don't know if that addresses the question. stop and frisk is a pregnant topic. people use it, i think, with very different understandings of what they are referring to. i think we all know it is a standard traditional law enforcement practice, like that in new york city like every other department in the country. we believe it's done properly. i don't think that will change. >> okay, another question. there was a lady here, yes. >> hello, katherine from the treasury department. first of all, thank you for your courage and your dedication.

it's much appreciated. i had a quick comment and a question. the comment is, really, the agreement only covers terrorism, not organized crime, but luckily, not for treasury, but for other people, on the same day the european parliament voted to suspend the recommendation, votedded to recommendation suspension of the agreement, they also passed a piece of legislation recognizing asset freezing and expansion of resources into organized crime networks so it's very good for organized crime, not so good for treasury. in the area of terrorism. good in the area of organized crime. i did, actually, have a question about corruption. i think corruption is a really big issue. as you know, as mentioned, treasury has a robust transnational organized crime, but you can only do so much solely from within the united states. you want transnational partners, people in countries that you can partner with and work with, but the problem is, of course, who do you work with?

who is your natural partner? you can offer assistance, but who to? is that really the appropriate recipient of that assistance? i would greatly appreciate any of your thoughts on how to tackle corruption and practical cases or lessons learned that you guys have had. thank you. >> tom? >> i can answer. a couple great questions. first is to recognize the difference between the united states and almost other country in the world, and that is in our country, you are not immune from prosecution if you're a public official while you hold office. in the rest of the world, that's not the case. the wealthiest countries in the world, and developing countries with oil, gas, and other mineral resources in the ground, if you're a public official, you're -- you have immunity from prosecution while in office.

what they do is they take the money they get through corruption, send it overseas to a safe haven, and as soon as they leave office, they join their money and spend it in the safe haven or elsewhere in the world. the country is victimized while they are in office by bad governance, and when they are out of office, the fact the money is gone from the country. at least they were good enough to hate travel and spend money in the u.s. that they made. [laughter] but in terms of your question about dealing with the officials in that country, the problem is that they may be the only officials. you are trying to deal with an administration and some of the small countries or developing countries, even larger countries where there's a choice. as long as the country allowed the people in office to have the immunity, you're really are going to have a difficult time ever getting rid of corruption, and if you don't get rid of corruption, or at least neutralize it or reduce it,

you're not going to get rid of organized crime and the other threats. you'll notice and the reason it's important is if you look at the united states, if you look at the corruption cases, and, again, the fbi has, you know, primary jurisdiction for corrupt public officials, if you look at it here, if the republicans are in power, the republicans are in a position of power to hand out, to do other things, and some people within the republican party will take advantage and steal, and the fbi will investigate and put them in prison. when the democrats are in power, they have the ability to have a lot of influence, the control committees, to do other things that help steer contracts to their pals, so, really, you need -- this happens both ways. what i say is the corruption is an equal thing, and, also, by the way, public corruption and greed is not, oh, those chinese, they are greedy, or oh, those guys in nigeria, no, it's a human nature phenomena. we have as much corruption or

would have as in this country or any other culture in the world, it's just that this country does more to take it on than anybody else in the world. it is an important factor, but, you know, you almost have to deal with who you have to deal with overseas. that's the problem. >> okay. another question. yes, sir. the gentleman back here. >> yes, if drugs were legalized and tasked, would it damage -- >> state your name, please. >> sorry. i'm michael from los angeles, and if drugs were legalized and tacked, would it damage organized crime taking away the revenue and allowing law enforcement to go after other crimes such as human smuggling and intellectual property theft? >> well, certainly, it would change the situation there. there's been a mixed message sent for places where drugs have

been legalized. in canada, there is medical marijuana permitted, and the canadians say that organized # crime is teaking advantage of the fact there is medical marijuana permitted, setting up growth facilities and things like that. in the netherlands, there's been a substantial loosening of drug issues there, but interesting thing is it brought in a lot more drugs in the netherlands since they legalized marijuana to the point that starting this year, the netherlands prohibits any foreigner from going into their pot shops. the checks have legalized a significant amount of drugs recently. that allowed the police and the

resources of the czech republic to focus efforts elsewhere, but it has not done much for the drugs at all, and poe land, i believe it is, there's a fairly successful story of legalizing drugs and things getting better there, so i think it's really going to depend on society that you're looking at. if you have a society as large as the united states and legalize drugs, it's, you know, you are going to change the way the money flows, but it's not beginning to get rid of organized crime. it's just operating in a different way. >> other thoughts, liz? >> yeah, i think that that will do zero. yes, because of what was said, but also just look at howdy verse mid the portfolio of organized crime is today. i mean, they don't need to rely on drugs, illegal drugs alone.

yet if they were going to be legalized, look at the pharmaceutical industry. a whrot of the drugs are -- lot of the drugs are legal, but they are being pirated, counterfeit. organized crime is making a lot of money out of it. i think that legalization, per se, is not the solution to organized crime. i think corruption, we need to tackle corruption. >> and one more comment, i think that, you know, the problem is already created that organized crime, particularly in latin american countries has been able to make billions of dollars trafficking marijuana and other other drugs and other contraband materials. i don't know how successful we'd be, and i agree with liz about the success that might or might not happen from legal idahoing marijuana. the example used is when alcohol was legal in the united states,

you did not have involvement in any great way, did gaming, prostitution, normal knuckle dragging racketeering things, but not large scale threats they became. when prohibition goes into effect, it's a bonanza. they make billions. it creates the al capones and luckies and the rest of the united states getting involved in the importation or production of the illegal alcohol and the speak easies and the network to district and consume it. when prohibition is eliminated, too late to eliminate. they have now become a powerful, national organization. they have dominated the four largest industries affected by the unions, corrupted public officials, police, and regulators, all the way through washington. the elimination of prohibition

did not eliminate the mafia growth that had been allowed and created, able to flourish was then entrenched, and now they could move to other things, other aspects to make money, and it was too late to take them out then, and it's taken, you know, 75 years of coordinated effort and sustained attack to reduce them now, and we have been successful in reducing them, and the example i would give is if you watch godfather one, it is a very accurate depiction of the power and control in the u.s. in the 40s, 50s, and 60s. as a result of the statute, wiretapping authority and sustained attacks went from god father one to the sopranos arguing over vacant lots in newark, new jersey. that reduction of power and influence from 26 national families down to a handful was significant, but it took 75

years to do it, and, really, the elimination of prohibition did not weaken them. it was the continuing attack later that did. >> robert f. turner. >> i want to follow-up with your -- [inaudible] i'm bob turner from the university of virginia. i want to follow up on your comments. hollywood often pore -- portrays them as patriots who in times of crisis rallies to help the country. recently, i heard a story about how helpful they were after the 911 attacks, and i wondered if you want to address that? >> i don't know the particulars, but i know they were involved in rubbish hauling and corruption and taking the remains of people to places where they couldn't be found or sorted, so, you know, really criminal at the grossest level.

>> i was running the fbi at the time, had joint wiretaps, and our organized crime task forces going back decades proceeding 9/11. many task forces, organized crime terrorism, safe streets, violence crime in place for many, many years. the day after 9/11, we have our very patriotic members in new york saying, you know -- i'll leave out the expletives. those feds took us out of waste hauling, construction, the laborers union, which was involved at major construction sites, they did all of this damage to us over the last 20 years, but now the reconstruction and the knee jerk reaction after 9/11, we're back in business. we're going to send people to washington. we're going to try to go after the contracts. we're going to go after, as doug mentioned, the carting, the

waste hauling of the debris. one of the things that happened after the immediate response to ground zero was then to be just putting the material, the raw material, into dump trucks, taking it across the river to new jersey to landfills where teams of police and fbi agents literally, like prospectors, sifted through the debris, and i won't tell you the materials that came out of that, the human and other, but immediately, these guys were talking on the wiretaps, we're going to send that to our landfills and pep trait -- we'll going to get hands on money and jewelry and they didn't want this, and there was a huge argument after 9/11, who owned the debris? the insurance company, who is really a financial victim at ground zero, so that causeddeddics to put gps's on the trucks and monitor every single truck to make sure it

didn't deviate by ten feet from the route to the designated landfills where it was to go. that's your american thinking all these years we were out of business, but now, this is fantastic, we're going to make money again. >> i'm going to ask the last double-barreled question as to two possibilities for substantive intervention, and that is we put the ku klux klan largely out of business, that civil litigation played a very major role. should we in some ways, or have we already done it effectively, unleashed civil litigation against organized crime? the second question is, one look at the sources of criminality in money raising that kidnapping and payment of ransoms is a significant part of it. should we be more effective in

seeking to criminalize payment of ransom to the groups, and what is the comparison there in relation to what we've done on terrorism? anybody like to address any part of that double-barreled question? >> i'll take a shot at civil litigation. if you create a sufficient financial incentive, you get the litigants. that's always the way. i suspect the challenge is whether anyone thinks they can collect for a claim. there's a lot of claims out there, and often people sue terrorist organizations. the federal government, you know, obviously, strong civil forfeiture actions that can be effective too. the challenge is always finding and getting hands on the assets. >> if i could add to that, professor blake at notre dame would be proud. he was not proud for ten years after the statute was passedded in 1970 because nobody used it or figured it out until he said, hey, look at this tool. an example of civil -- the civil

provisions are powerful and actually enable the success of many of the other prosecutions. for example, i mentioned that they controlled the four largest labor unions in the u.s., teamsters, laborers, long shoremen, and the hotel workers. under the civil provisions, when those gangsters were convicted, civil suits were filed by the department of justice, removing them from ever being allowed to be a member of a labor organization again, so they couldn't, on paper, have no-show jobs, or in reality become union stewards or other union organizers used as front to maintain the control of the gangsters, so the civil part was enormous when iced throughout this period, 80s, 90s, and since to remove them permanently from ever participating in the labor organization. they couldn't go back to what they knew best, labor racketeering. >> anyone want to talk ransom

issue and then the last issue? >> i'm concerned with criminalizing the thing just to pay ransom because you may find a lot of people, a lot of families, desperate, trying to just bring a loved one, and, you know, i -- i have problems with that. i think it just -- we will be criminalizing the wrong individuals. >> thank you very much. i want to thank the panel for just a superb presentation. [applause] >> thank you, john, for a wonderful, wonderful panel and i want to thank the core sponsors of the annual review. we have from the center on national courting the law, georgetown law, particularly the dean and laura, and major

running the next panel and sharing it on cybersecurity and its future. i particularly want to thank the center on law, ethics, and security, duke university school of law, and charlie, who ran the panel yesterday, who did a wonderful job on authorization for the use of military force, and, lastly, the center for national security law, which is not only john norton moore, but a special person who is, right now, has his eye behind the camera, and that's bob turner, and these schools have been extraordinary in support and development of the area of national security law, so i want to take a 15-minute -- and i want to thank them officially for what they do. i want to thank the pammists for being fascinating, and all the room would love to remain as hostage for you, but we have to move on, and we'll reconvene in 15 minutes, and we'll have the panel on cybersecurity and the future. thank you very much. [inaudible conversations]

>> this painting was ornlingsally painted as my grandmother's official white house portrait. in the 1960s, lady johnson looked for portraits of first ladies to hang, rehang in the white house. she thought that was important, and she looked high and low, and she could not find my grandmother's official portrait. she called my grandmother and said, mrs. truman, do you know where the painting is? we can't find it. my grandmother says, yeah, it's on my wall. mrs. johnson said, you really shouldn't have that. it belongs in the white house. my grandmother said, no, that's my painting, it's on my wall, and that's where it's going to

stay. i think they tried a couple more times, but eventually, they gave up. >> watch this on c-span.org/firstladies or see it saturday on c-span at 7 p.m. eastern, and we continue the series live monday as we look at first lady mamie eisenhower. >> more now from the national security conference. a 357b8 looked -- a panel looked at combating computer crime, there's attorneys from the white house, justice department, fbi, and

homeland security. this is an hour and 45 minutes. [inaudible conversations] >> thank you very much. for those of you who -- the first panel was a little bit too early in your rhythms. i just wanted to bring your attention to two outstanding breakfast programs on the horizon. the first is on friday, november 15th. the keynote address is by ambassador mark grossman, vice chair of the cohen group, former undersecretary of state at the department of state who will be talking on the diplomatic campaign in afghanistan and pakistan. the second one will be a couple weeks later, december 4, wednesday, keynote address will be by mr. wan, senior adviser,

transnational threats project in homeland security counterterrorism program. he will be speaking on treasury's war, unleashing of a new error of financial warfare. one final reminder, when this panel concludes, we have to clear the room, just like we did yesterday, so that the hotel can set up for lunch, about 15 minutes, and then we come back in and start the lunch program. it gives me great pleasure to introduce the moderator this morning, distinguished visitor from georgetown law. thank you. [applause] >> thank you, everybody. i'm very excited to be here, and i think we have a really terrific panel. we're here it talk about cybersecurity, and how we address the significant and growing threat from criminals, hackers, terrorists, anachrists,

and others who are intruding, disrupting, and potentially attacks our private sector and government infrastructure. i don't feel like i have to say very much about the threat. you have a lot of background. particularly, in the crowd. it -- not too many years ago, if you start talking about cyber, cyber security, most of the eyes in the room would have glazed over, and, you know, not that people didn't care about it, but it was technology, sort of unfamiliar, didn't, you know, feel like the national security issues we're used to dealing with, but now i suspect everyone here is paying a lot of attention to cyber and the issues because the threats that we are facing have only increased and increased quickly

and the efforts to address them are progressing, i think it's fair to say, a little more slowly. today, we're very lucky to have a pam of the people whose eyes have never glazed over at the -- on the topic of cyber or probably anything else, and i'm -- these people have been thinking about cyber intensely in many cases for many years way before it was cool. the -- so, really, the collective experience here and expertise is really impressive. we're going to focus this panel on the relationship between the u.s. government and private sector in cybersecurity, what are the challenges, where have we made progress, where we're on the right track, and where we might need to do rethinking in the relationships.

let's get to it. i'm going to introduce the panelists, and then we'll run this as a conversation. the panelists' bios, i'll give you information on them, but there's a lot more impressive stuff in them. read them in the materials. i'll start with lee nard bailey, a special counselor in national security in the computer crime intellectual crime section. he was also recently and associate deputy attorney general and responsible in that capacity for managing criminal and national security cyberpolicy for the department of justice. he had a long career in the justice department, working on crime and cyber issues. leonard has a ba from law school.

steve is senior vice president of legal affairs, general counsel, and chief risk officer of the internet technology firm, cloud strike. he's also an adjunct faculty member at george washington university, and a cyber columnist for "security" magazine, and prior to joining crowd strike, steve was at the first for 17 years, deputy assistant director in the fbi's cyber division, prior to that, he organizedded and led the fbi's cyber intelligence program. he's also served in the office of director of national intelligence, and he's a graduate of duke university and duke law school. laura donohue is a professor of law at georgetown law and director of georgetown's center of national security in the law. she writes on national security and counterterrorism law in the

united states and the united kingdom including on emerging technologies. professor donohue held fellowships at stanford law school center for constitutional law, stanford university center for international security and cooperation, and harvard university john f. kennedy school of government where she was a fellow in the international security program as well as the executive session for domestic preparedness. she received her ab in philosophy from dartmoth, ma in peace studies, her jd from stanford law school, and a ph.d. in history from the university of cambridge in england. wow. jim louis is a senior fellow and director of technology and public policy at csis where he was nice enough to hire me a while back, and at csis, he writes on technology and security and the international

academy. jim has authored more than 90 publications. he's an internationally recognized expert on cybersecurity whose work includes the best selling curing cyberspace for the 44th presidency. before joining csis he worked at the departments of state and commerce as a foreign service officer and as a member of the senior executive service. he received the ph.d. from the university of chicago. last, but not least, we have daniel sutherland who is the associate general counsel for the national protection and -- national protection and programs director at the department of homeland security. in this capacity, he is the primary legal adviser to the undersecretary, and he leads a team that provides legal services to the office of cybersecurity and communications, the office of

infrastructure protection, the office of biometric identity management and the federal protective service. he previously received in the senior national intelligence service at and prior to that, he was at homeland security providing legal policy advice to three secretaries of homeland security as the first officer for civil rights and civil liberties at the department. he started his federal career as a civil rights attorney at the u.s. department of justice. he's a graduate of the university of louisville and university of virginia school of law, and he's also an adjunct professor at pepperdine and george washington university. so let's get started. i'm going to start, dan, with you, our topic, today's relationship between private and

public in cyber, and a key effort is to share information between -- promote sharing between the private sector and government about vulnerabilities, threats, and intrusions. can you talk about what from the dhs perspective those efforts are trying to achieve and how they are working? >> good, thank you. i'll try. i'm going to describe some of the information sharing programs that my client administer, and that hopefully sets up the other panelists to talk about specific approaches to the issues. i think information sharing is one of those terms that can make anybody's eyes glaze over. i'm going to try to put it in plain english to the extent i can what the programs are about. dhs has very broad speedometers in cyber from the coast guard's role in cyber com, cbc, i.c.e.,

secret service investigating cyber crimes. it's central to dhs's cyber role is the wok that the client, the national programs director does. it focuses on increasing security and resilience of critical infrastructure, federal and nonfederal critical infrastructure for both physical and cyber threats making a connection really there. let me just briefly talk about what we do in the federal critical infrastructure because it helps in the discussion there. our role there can be hands-on, direct as we work with our colleagues and other federal agencies. we provide technical capabilities to allow other federal agencies to protect and secure their networks. for example, we have a service called cdm or continuous diagnostics mitigation, a scanning program that allows them to diagnose vulnerabilities in their system, allows them to understand what -- how their networks work and where vulnerabilities might lie.

we have a capability that's referred to as einstein which uses signatures or indicators of known malicious activity, and when a signature is recognized, it allows the networks to filter that so that that dis not enter a network. information from both einstein and cdm, then, are gathered and sent back into the system so that everyone is learning as we go through. that gets -- there's a parallel there, i think, to what we talk about in terms of information sharing. in terms of the private sector, how we partner with the private sector, we're working with people in the private sector to help them with stand attacks and recover from incidence. let me break that down just a little bit. first thing is we help companies understand their risks and manage their risks. for example, we provide bulletins with information about threats and vulnerabilities that we have fused from a variety of sources and put bull tips out publicly. they are on the website broadly

distributed. we have assessment team, help companies assess networks to make recommendations about how to improve their security. that's preincidence. second, when a company is a victim of an incident, dhs provides help in assessing the scope of that incident and advice and recommendation on mitigating the incident. timely, we take information about incidents, dissect it, understand it, analyze it, and push information back out to others in the system so that, again, there's a continuous learning cycle and information sharing really has to be that kind of continuous learning cycle and, i think, provoke issues that we're talking about. i think it's helpful to think about the understanding of the information sharing is not a monolithic concept, producing the difficulties we have in coming to grips with all this. it may be obvious, but i have to

point out there are different types of information that we may want to share and for different purposes. there are different degrees of sensitivity in the information that we have. some classify, some unclassified, and that, therefore, promotes a variety of restrictions, and there are different rules for sharing, depending on who is doing the sharing and who is doing the receiving, and i think we'll discuss that as we go along. let me just finish by giving you kind of a spectrum of some of the information sharing programs that we're doing. there's a wide spectrum. first, we do work on vulnerability alerts. i just mentioned this. we send bulletins to a broad range of people who get this information. as i said, it's even on the public website. the information could be already publicly available, but not generally known. the goal is to allow a broad range of entities to use that information in developing

network security. on the next part of the spectrum is more focused or more targeted information and more targeted relationships, and in this context, we often have actual written agreements between us and the entity we share with, and in this context, we share threat information and also took a step further doing what's referred to as operational collaboration. you not only share information, but you sit and work through issues. we have the national cyber security and communications integration center, the mmcic, where people can sit, liaison, and have that operational collaboration. that's bilateral sharing, the term they use, which is both back and forth, government and private sector back and forth, and, hopefully, that has a multilateral effect as it goes to the private sector, it spreads out. the last part, and i finish

here, in terms of the spectrum, broad public audience, a tailored audience, is a very specific audience, a program call enhanced cyber security services, and this includes classified data. we negotiated agreements with a sect set of certified providers who have demonstrated the ain't that they can handle and protect classified information. the information shared there is more sensitive, obviously, and under this program, those companies are then able to package that information and use it for a broader range of helping others in the private sector to protect their network and security. there's a range of information sharing programs, again, for a variety of purposes. with restrictions in data and purposes we are accomplishing. that's a good overview of the information sharing programs. >> terrific, thank you. i'll turn to leonard and see if you can, from doj's perspective and your experience, add to that? >> sure.

so let me start by saying i submit information sharing in the arena of cyber is both difficult and necessary. when i say that it is necessary, i say that it's necessary in a way that it may not be quite as necessary in other areas. what i mean by that is when you deal with a cyber incident, determining first whether it's a cyber incident takes information. in other examples, for instance, terrorism, you open a window, and you see a bomb crater. you'd see some sort of carnage, indication of a problem you need to address and respond to. cyber is different. the best indication of activity we have in cyber is communication. communications that are doing something or affecting a network in various ways, and it would so

happen that in our legal regime, communications are regulated or access to them are regulated necessarily. they catch on first amendment, obviously, fourth amendment issues, privacy concerns, and so you are necessarily dealing with an environment in which you are trying to, as someone who was dealing with cyber security gain access to protective data. we need to get this information to determine whether something's happening, but it is, in some ways, by the force of law made more complex. the complexity is then, something dan was talking about there for a moment, this information sharing cuts across different entities, so you have sharing that has to happen among private entities, by and large the constraints that people

speak of in that area largely think with appty trust concerns; although, i have to say we have difficulty talking to in identifying exactly what antitrust concerns may be when they are actually sharing cyber threat information which is what we are really talking about. them, of course, you have sharing from the u.s. government to the private sector, and that's something that, you know, dan was speaking to, a lot of product is going out to the private sector in order to help them better protect their own network, and then there is the effort to get information from the private sector so that the government is in a better posture to respond to and mitigate any incidents that occurred, and, of course, that is the area where we find the greatest difficulty. that's where you have your fourth amendment concerns, and, again the web of regulatory statutes. that's that approach, the communications act, the wiretap act, the statutes under fisa.

there are statutes that we have set out there to regulate how the government gets information. in the cyber security space where we've attempted to figure out how to do legislation, this is a challenge, putting all of this together, and figuring how and when those statutes normally operate give way in the interest of cyber security while at the same time protecting sigh liberty and privacy, and that becomes a line drawing exercise that i think will be a push and pull for a little while still to get just right. i'm something of an optimist, and so i hope we made some headway in the discussions in at least identifying certain issues. there are some issues that come out and have been teased out that relate to things like min myization in how that's used purpose based types of application of information

that's obtained. it's potentially saying, i think, really, the difficulty in information sharing is the ability to reach into the soup of data that is content, noncon tend, metadata, reaching into the soup, and, one, abstracting a good image of what it is might be a hazard, and, at the same time, identifying what you need to do about that hazard, again, complex, but very necessary. >> great. laura, leonard has raised some of the legal and privacy issues he sees with information sharing, and i'm wondering if you could give your perspective on that and many concerns or additional thoughts you have on that? >> thanks very much. so i'd like to broaden this just a little bit to address this question, which is looking at cyber security generally. there are more than 50 statutes already in place that deal with cyber security. the problem is that since 2002,

there hasn't been kind of a comprehensive cyber security bill that's successfully gone through the congress. the reason this matters is because there's many different aspects of cybersecurity that needs to be addressed. we talked about information sharing, and with that, protection of the critical infrastructure which dan addressed, dhs's role in that regard, but there other also huge issues on the table like reform, a federal information security management act introduced in 2002 under pressure right now and criticized because it focuses more on procedure and compliance than on risk analysis, it's expensive, there's a data deluge going on in terms of federal agencies so they expect a 47% increase in data by 2015 so there's concerns. there's concerns about the criminal realm so we have seen proposals to deal with breaches resulting in theft, exposure of data, cybercrime, international efforts, there's emphasis on

research and development, cybersecurity work force bills before congress, and the points to be made about all the legislation for us, those who follow it regularly, there have been more than a hundred bills in three years, more than a hundred bills introduced, and what's interesting, this goes to leonard's point, in terms of us starting to reach a consensus or agreement on some of the issues, that number annually introduced is actually decreasing. in the 111th congress, there were more than 60 bills in, in the 112th congress, there's 40, and in the 113 congress, there's over a dozen; right? the actual volume, thank goodness, is tapering a bit. the reason why it's not. addressed yet and there's not been broad agreement in part really turns on the information sharing and protection of critical infrastructure question. there's really four concerns here. first is the legal bare barriers, and referenced these.

there are a myriad of structures in place now, and they have to create barriers so they range from communications privacy, children's privacy, privacy of financial information, privacy of government collections, medical records, miscellaneous records and activities, confidentiality, and so on. there's many statutes in place. assumedly, many of these could actually be changed or amended, but then you're still left with the constitutional concerns that prevent, so there are first amendment concerns about the protection of speech and associational rights, so association privileges, political privileges related to that, anonymity in public space, how that works out. there's serious fourth amendment issues that present with search and seizure, and we can talk about how fourth amendment concerns come into light with emerging technologies and what appears to be on the supreme court growing tension of the

trespassing and those woo come down on application of the reasonable expectation of privacy, and fourth amendment concerns present, fifth amendment, due process concerns that are raised here, ninth amendment issues so there's a number of constitutional issues that come up. ..

i think the predominant concern is qea of why we're sharing information. what is the strategic value of information sharing? there might be some tactical advantages here and there to the information sharing that you've heard today. it's really on the margin. what we hear a lot, i would equate it to selling vitamins, exercise programs and band aids. nothing is wrong with any of those.

i like them all. i take my vitamin, don't exercise when i should, and use a band aid when i get cut. we're not in the environment. we're being hit by nation-states and the militaries and extremely organized crime not a resolution for vitamins, exercise programs, and band aids. in fact, what you'll find it's really not a resolution for victims to constantly playing defense and stirring up the system. it's just possible. it's never going to be possible for an agency or a corporation to become impenetrable to the vast number of threats that we see today in our interoperateble dynamic environment. it might be possible if we bunker down and didn't connect to other systems and retain static environments. it's not the situation we're confronting here.

what we're seeing is a failed strategy where our security gets worse. we have been predominantly focused on information sharing. and which the government hide under the table to lock the door. when it doesn't work, there are more warnings. the private sector is saying e don't mind being warned. i like being warned there's incoming. but i had hoped that while you were warning me you were actually going after the bad guys and taking them off the playing field. whether you're in schools it's a bomb drill in the old days. that's okay. i could hide under my desk for five minutes, five hour, maybe five days. it's been 15 years. come on. this is not going get better. and the problem is we haven't put our resources to threat

deterrence. in the real world we wouldn't operate like cyber where we victimize and revictimmize the victims and tell them they haven't done enough to protect themselves. constantly having protection as we see as limited return on investment. at the end of the day, if we don't change the playing field for threat deterrence. to make it so that the bad guys can't keep trying and trying and trying with no negative consequences. this is the way it's going to end every time. and so we do need environments where information sharing is fostering a new strategic paradigm. better atriewx. and real penalties. when the government knows who the bad guys are they can do something about it.

ten years, 15 years later, it's the same or worse situation. after awhile there are break ins we should threat deterrence. we have alarm and camera and alarm and camera do nothing to make the environment less penetrable. they do is shift the burden away from the victim. they make information sharing about going after the bad guys. the alarm is for early detection. the video for atry -- atry biewtion. the idea we know you can get in. now it's about you.

why we haven't made the realization. we have to different what we protect and figure out how make sure we there threat deterrent model and deep doing what we're doing on the vulnerable mitigation side. the same extent with locks on doors, band aids. we are hemorrhaging right now. it cannot be the case when you come and see the place of business. completely raided maybe your integrity of your products are changed. what is my patch management strategy.

and the penalty it will require. >> okay. so i had some more questions about band aids. i think maybe we should since steve has raised a very interesting and important topic now i would like to get less leonard, your response and hear from jim and anyone else in response to what steve just

raised. we have to be able to walk and chew gum at the same time. so while we're doing all the vulnerability mitigation activity. we obviously should be dreaming with the threat actors and moving the threat. we should be on the prevention side building safer, more secure software, and hardware that doesn't invite intrusions. right. and we should be able to -- on the back end, mitigate and recover from instance quicker because we're not going to prevent every instance that happens.

we should be in favor of. we do in fact go after it. and greater success in the international realm. we are getting large scale data breach actors in. i guess the only thing i take issue is that there isn't threat mitigation activity happening on the other side. there's much to be done there. again, because of the complexity of the networking and the way they work and the ability to get information in an international environment. but that work is in fact occurring. again, i would be very much in favor of going after it in a concerted way. the one thing i would toss out,

it does work. there was a prosecution of one of the most successful data breachers on the planet, and still may hold the record. he was convicted and sentenced to 20 years. when he and the ring were taken offline, there was an international -- noticeable in data reach activity. we do know in fact going after actors matters in doing that -- >> i agree with you. >> great. okay. i told her not to put me first. i'm regretting it now. [laughter] i don't do cybersecurity conferences anymore. it's like "groundhog day." there's the regular opponent like the albert. they are defeatable. they are measures you can do

defeat them. think of the high level opponent. the fsb. 20 or 30 criminal groups large any in russia have the equivalent capability. russian domestic intelligence service. they are unstoppable. there is nothing you can do. if they want to get in they're going to be be getting in. they're going to be on the tail in thirty minutes. can you beat that? we have a hard set of opponent. and different strategy for dealing with them. the u.s. has a strategy. it's really touching. i feel really glad. and it's three parts. a diplomatic strategy, published bit white house. we are actually doing pretty well on the diplomatic side. some of what steve was talking about. and the budapest convention on cyber crime. we have made good progress on the diplomatic side. there's the snowden turbulence. we'll get over it. the u.s. will be dinged for the

foreseeable future. i know, we're going talk more about the international stuff later. on the military side we're doing quite well. probably one of the three best in the world. it's touching to. you can read our strategy. it's top secret but you get it on "the guardian" website. [laughter] they get upset when i say this. i don't work for the 0 government anymore. but we're doing pretty well on the military side. what we've discovered is surprisingly shortage of resources. we don't have enough bodies that know how do it. there's an effort to crank up the body. the place we're failing is on the domestic side. there's a whole set of reasons for that. the main reason it was political gridlock. i think you have heard it from the panel lists. america goes through these. i think it's the third constitutional crisis in the last century. when we're in the little periods of unhappiness, nothing is going to get done. this congress isn't going pass any legislation. the next congress probably won't

pass any legislation. unless there's political complaining. what are we doing in the interim? we offer magical solutions; right. so information sharing qualifies us in magical solutions. say the formula and maybe it will be better. you don't want to say security i know it's a problem. i'm not going do anything. you say no, no, we share information. i told you 30 minutes you're going beat that with information sharing? i don't know if you're going implement it either. so when you talk to people what has changed? this is starting to get bored attention. that's been a goal for some of us for many years. getting the attention. you talk about ice glazes over. it's still difficult. i talked to one investment firm and the ceo said i don't want to know and don't care. i make my mark if i make the money i'm expecting to make i don't care if somebody makes money. when i told them he was listening to the cell phone and got excite what happened is the guy doing on the cell phone?

but you have that sea level attention the board level attention and that will change thing. information sharing is a good topic to think about some of the obstacles we have in developing a private response. i'm not holding up government as an exsemiparticular of anything at the moment. there's a real reluctance. the issues that come up are -- liability and risk. there's a risk to shareholder value if you report a significant loss of intellectual property. a significant loss of financial data. now i know these have occurred. how do i know they occurred? hold on.

nsa spies on other people. and so we see what the other people have collected from american companies. of course, the law prevents us from saying here is a big bank. they lost this amount of money. we thought we can't say anything. so the public debate is miss informed in some ways because of a t not established that precisely. there are legal obstacles to information sharing. you've heard about that. i don't know about the antitrust. all the companies say antitrust. i don't know how true it is. the privacy obstacles are more important. there are a few sectors that made progress. i look at financial service and telecom. they made progress because it's in the business interest do better at cybersecurity. other places very little progress. so easy and energetic 12-year-old could probably be a good cyberattacker. i've had some unusual experiences this year. and the one i think the most unusual for me was a big international conference --

which was the shut down? october 17th. i thought people expressing pity for the united. we weren'ted the feared super power anymore. they were feeling sorry for us. hopefully we can change that. but i think while we're in the political situation, it's not going change. and until the political change occurs, we aren't going to see progress on cybersecurity. we aren't going see progress on information sharing. outside the thijts that the executive branch can do without additional authority.

and i think senator chambliss. odds of the bill passing even though it would remove some of the obstacle the odds passing is a good bill. we need it. it has no chance. that might be a good way to end on a -- cybersecurity. [laughter] >> i'm kind of depressed right now. laura? >> i agree with you. i don't think it's going to go anywhere. i also agree that information sharing is being seen as a magic bullet. in many senses it's, as steve noted, victimizing the victim in some sense. i disagree is a deep cynicism about congress. that's what is going on. it's just that we're in an unhappy period and just not able to get the act together. and the reason i disagree there are serious legal and

constitutional concerns here. so, for instance, take steve's suggestion about greater office of capability and pdd20 that jim mentioned. you know, we have some very difficult legal questions about covert activity underneath the 1947 security act. and the intelligence collection or traditional military activity planned or operational. to the extend falls within that. on behalf of the government and under skinner you are compelled to do it and stowngt fourth amendment concern. the fourth amendment issues are quite significant that have to be addressed. then there's also an an elephant

in the room which we haven't addressed yet which is yesterday morning headline. which is the nsa collecting information on industry as well. private information. i think there is a healthy level of mistrust between industry and the government and the idea that information sharing could somehow take place in a siloed universe where nothing wrong would be done without exposing them to liability or hurting them in some way occurs. i think it ignores the considerable concern that was certainly yahoo!, googling with and others are expressing right now information sharing with the government. i was talking to one of the people responsible for these. and i said, what is the legal thing you do? and he said we try to do it

under title 10. if a problem we go it under title 50. we don't have a problem carrying out offensive operations nap said, there's no such thing as cyber deterrence. there are issues that congress needs to work on, most of them are domestic, but in term of our military capabilities, fortunately -- i'm not cynical about congress. i'm cynical about this congress. [laughter] in term of our military capabilities, the military is not waiting for happy words from capitol hill. >> leonard,ic you wanted to respond. and dan, i'll see if there's anything you would like to add to this discussion. >> i i have a brief point to make. which is a meta and on the policy level rather than legal. but i think when i say that signer is hard. having done it for awhile. ic one of the reasons why it's particularly hard -- i'm sitting in a room of highly educate people.

everythings that on the keyboard is magic. what is the computer doing while operating? what are the underlying communications that happen between you and the provider? having a cfght on privacy and information sharing in this context that is fact-based and rash tell me. try back to fiction when they're -- but the fact so you a baseline community consumers, all of us, who don't exactly understand what we're working with makes it, again, extremely difficult. and so much of this discussion about privacy and information is being had in a meduated environment. we need people to tell us

whether the information we're leaking is important or not. whether it's private or not. and some is easy. when your e-mail if it's not done legally. but there are other aspects of this that name so hard. just a way to toss it to you. we are trying to figure out what information -- getting a baseline what the information is, what it is. it's very difficult in a tech know phobic world. >> dan? i have trouble seeing you down there. do you have anything to add on the privacy issues and the legal concerns that have been raised? or anything else? >> well, i think started with did i have something to contribute the debate or discussion. i hope it's a point that audience appreciate. my title as associate general

counsel not director of strategy and policy but people and think tanks and business you can debate these subjects our role is trying to help the client figure out the legal way to move forward here, but i think in term of privacy protection, in information sharing, the information sharing a corner stone of it has got to be trust and confidence in one another. and so privacy is absolutely critical and built in to the whole project. and they do nap i can thought about a little bit more. underlying the whole conversation has got to be a level of trust and confidence and leave in one another and a lot come back to privacy preace we think is a key element that dhs can bring to the table.

the framework is in part of a response to a failure of do you

think it's a useful effort? where do you see it going? >> dc interest at the end of the debate last year, when you speak to individual senators or members, they understand the problem they like do the right thing. as part of the reaction the white house in august early august decided it would put out an executive order that would use the existing authority of the president over the regulatory agencies.

he has control over and hopefully influence other regulatory agencies like fcc to set standards for what adequate cybersecurity would look like. so it's a good plan. the paragraph you want to look at in the february executive order is paragraph 10. it's the one that said once developing the framework regulatory agency should go and compare it to the existing regulation and see if they are adequate for cybersecurity. please do this by 2015. so we're not actually what we call a quick cycle here. but it's probably the best we can do. what does it mean? the framework, you know, i was talking the nist people who were working on it. the beginning of the process.

it attempts to rectify it. it's a concise document for nist. it's 44 pages long. and it's best to think of it given how nist does things as an bibliography of steps you take to improve the networking security. it doesn't actually tell you how to get it. it's getting a menu in the restaurant and you pick. what are the implication for the audience. there are two major changes that reshape the legal landscape.

if you aren't exercising due diligence you should be liable. and that's the path we're on. this has been kind of a goal for more than a decade for many in the field. how do you get companies to say this is what you must do. we're at the point where we can say to people do the things and you reduce risk by 80% or more. if you aren't doing them why aren't you doing them? due diligence liability. that's the implication of the nist framework. and right now nist is pretty much done. there's a hand over to dhs and dhs will get to implement this in some fashion. >> laura then dan. actually question for you. executive order 13636. it would make the statutory requirement from nist. i'm a assuming you're posed to that that. >> i got a note saying please don't trash us in the press.

[laughter] we took the hard part out of the bill. he's doing a great job. he knows what to do. he's trying to do it. but i think judging from remarks i've gotten from his staff he doesn't believe there's a chance. i think jim described it well. in term of timing, the framework is out for public comment. you were supposed to comment by december. there's been a number of workshops building this over time. it's not surprising. but i think private industry and

issued finally in february. but if i could expand on it, just a little oong l to it. inspect this environment where congress was not able to pass legislation. the president's decision as jim mentioned was try to encourage federal agencies to do what we could under current authorities nist developing the framework is one way that we can make a contribution essentially trying to establish a set of industry-wide best practices that would allow people to see where they need to be shooting to. at the same time another part of the executive order asked every agencies including dhs to try to think through a set of incentive that could be developed to encourage adoption of the framework or framework like it.

are within the ability of federal agencies to do and much still require congressional action. there are areas such as building a cybersecurity insurance framework or industry. so that underwriting practices would drive them. it's an breasting compliment to the development of a frame work. how do we incentivize people to

get there. start by saying i'm a huge champion of nist. i think they are incredible at what they do. i'm not a day goes by we're not taking advantage of something that came out of nist. regulation regulatory. it doesn't talk about going after the bad guys. it talks abouted government warning the good guys that they are coming. you have to tell the good that the bad are coming. okay. it talks about best practice. it's not best practices for soldering metal. it's best practices in the dynamic environment. the best is defeated tomorrow by the enemy who pivots and shifts. what we've seen in the area of

security is focus and again it gets back to focus. it's not that good cyber hygiene isn't good. i guess it's in the name. it's good. is not getting the same value it used top at the beginning you have certain base layers are you are getting more than the dollar wort. you're spending a dollar goat a dollar. what we're seeing is diminishing return. we see negative return. as we start building the best practice, the enemies overtake

that. it mean our effort increase the problem. we are spending dollars and making the problem worse which is hazard for good people to accept. then the bad guy spends $50 and buy a 30-foot ladder. the government pats itself on the back for warn us that the threat landscape has changed. the bad guy has a 30-foot ladder that ask overtake the best practice. you know what you need now? a 40 foot brick wall.

for wondering how it ends. but nist -- this is why i lost nist. nist recognized the issue. when they sought public comment. they actually asked for comment about metrics of what success looks like in the environment.

i could block 999 of those a minute but one gets through every minute of the day that completely penetrates my system. we have to think about what the role of government is. we talk abouted a fourth amendment and privacy concern. a very government centric view of the problem. the private sector through the technology and market force and transnational organizations including nongovernmental

organizations can't help dwient rules their own group.

so i think you're right. because all of it has government centric. there are basically five approaches taken for the info sharing new procedures are needed in order do this. and substantiatively you have to limit the disclosure of certain information to other entity. for the companies or privacy. privacy concerns. but all of these are governmental focus. like none of them actually transfer authority power agency to private industry and power them to defend themselves against such threat. we can have a lot of fun about

-- is if going to make my company more money. that's a angle you have to take. what you're beginning to see as ceo do the calculation of risk. and the question i usually ask now is does your board have a risk committee? and most people say yeah. and i say does your board risk

committee consider cyber risks? the answer on that is a little mixed. it's one of the metrics we can use to see how it's changing. is the board thinking about risk when it comes to cyberspace? one brief point. i've been brief supported my colleague here. one thing i want to toss out. let not concern about the lens that is used discussing the issue. that is what we have seen in cyber. it's just another expansion of other activities of crime. of spying. but of activities that are constant. that in reality we are not going eliminate. spying is not going disappear from other countries. and neither is crime.

i'm from an agency that dedicated to minimizing that as much as possible. but no one, i think, said it will be eliminated. i think of this environment we're dealing with threat mitigation. we're going mitigate that threat. saints vulnerable. we're not going eliminate vulnerabilities unfortunately. the one thing i have on that is in other areas we have agreed, for example, you don't drive cars when they're going explode. we think it's unacceptable. having planeses that tumble from the sky is like wise unacceptable. having hardware immediately subject to vulnerable to infryings is unacceptable. actually it's not. we accept there are updates provided to the computers because they are in fact.

perhapses inherently subject to some vulnerable. i make the point so awe live in an environment we are mitigating the problems.

in a way that is very even handed to address the issues that -- >> steve. holding it up. i can say that. i would rather start on the highest end of that question of where the private sector should be and touch upon some of the comment i've made earlier. which again would require a sort of par dpiem shift. a paradigm shift, which we try to realize internet and technologies from a security perspective have differentiation. it's not the case that the top

secret computer that i used to use for the government should be the very same computer with the very same protocols they could buy in any electronics store. infected with malware. but obviously it could have -- destroyed our information base. the first thing figure out what the technological solutions are. it might be funded by the government. there's -- come up with hardware, software, and protocol that differentiate between security and privacy

model. i think there might be a happy coincidence here. in which some of the areas that we need the greatest security happened to be the same areas that require the least amount of privacy. really have focus after that. the first -- it was the idea. different machines with different operating systems ton of each other. after that became realty the focus was on bandwidth. after that the focus on speed. after that the focus was of the engineering community was on privacy.

so i think that's the first level. where can we have better systems that are interoperateble, internationally that promote environments for detection and atry biewtion that with our civil liberty and privacy requirement. can be more easily resolved by the private sector that would say if you want to eerpt in the platform with the hardware and the protocols.

it may be civil lawsuits. it might be engaging in name and shame campaigns. whatever the issue is, right, this notion that the model that we're looking toward might not be an agreement between governments fundamentally. an international agreement between where does that leave us

without the larger strategic vision? what you're seeing now the private sector similar to government are operating differently depending on where they are. we saw an internet company security company abroad that actually broke in to a pla infrastructure in how hong kong by breaking down the passwords, getting in, and looking through the information publishing that

for the security saying here where the bad guy infrastructure is. there was a debate on the active

defense side. certainly i've never, in favor. i'm strongly opposed anything that looks like vigilantism. getting a pound of flesh for a pound of harm as a pure matter of revenge. i think there's a lot that doesn't fall in to that category. i think when people speak about active defense, there is some group that pleadly drives toward models.

technically unlawful whether it's done in a necessary and proportionate way is justified under law. that would be true of someone who steals someone's property running down the street if someone were to say where you able to tackle somebody, hold them down on the streer if a period of 15 minutes. you rightfully get the answer.

in we restraint in order reengage the government. to harm that unless the private sector acted would be met with the harm. >> okay. thank you. steve. i want to get to the audience but is there i think we have a couple of -- briefly jump in on this. laura first then jim? >> i take the point. the electric you use.

grow life for marijuana plant. that's the search under the fourth amendment. similarly if you're not at home the electric use indicate the idea you can figure it out for the inform would be open to challenge. the fourth amendment protects person affect houses, papers, that information against searches. so you to have probably cause and have to have supported by oath of of affirmation. >> can i respond. directly addressed to me. i never suggested that when it reaches the doorstep there wasn't a privacy consideration. i was talking about the electric power generating grid itself. >> i'm going talk fast.

i'd better not talk fast. for the last four years i've been conducting with the permission of the government regular talks with the chinese ministry of state security and the people liberation army about cybersecurity. if we find someone doing something, an american company, and we bring a case to the fbi will you cooperate? the fbi representatives in the room said yes we will cooperate in investigating and perhaps prosecuting that american company. just something to bear in mind. the legal frame work for this

internationally is interchanging. group of the government expert put a report endorsed by the secretary general and the general assembly that said international law applies to cyberspace. national sovereignty applies to cyberspace, the u.n. charter applies to cyberspace. there are borders in cyberspace. get rid of the old dot-com stuff. and states are -- this is now the new international standard. so think about how the world will change in the next three years as people begin to move down the path of moving cyberspace from being this dot-com vision to just another extension of the national framework for international relations and national security we have now. >> right. okay. why don't we see if we have any questions?

trying to combine some of the points made about pp20 the presidential director. the point of sort of the band aid being insufficient how we need to deter. i think need to be addressed in large part by the president action top secret available on "the guardian" website revealed back in july that authorize offensive and defensive but even the defensive sort in the middle deterrence. but offensive cyber effect operations. the target list associated with the revelation that the president authorized. any kind of congressional issues just by the president alone. but regardless that would seem to be exactly to the point of

their being a failure deterrence by the government. it -- if it's not. maybe it gets to the meta issue i don't understand what is happening with the compute per. the term are abstract. it sounds like the operation and target list. isn't that the government doing something to directly deter? if it's not. why not? is there something about the mechanics that don't equate to the actual deterrence? thank you. >> can i try it first? the debate in the us hasn't caught up to the larger international debate. [inaudible] >> i think it is. [laughter] >> i'm sorry. i take it all back. [laughter] discussion in the u.s. hasn't caught up to where the international discussion is. in part that's because of normal diplomatic stuff.

it's classified. they would be useful at the state department was a little bit more transparent. i think they are trying. but the issues you raise deal directly to how people are beginning to interpret the. it's consistent with the evidence we have. there has to be violence and damage, there has to be casualties or death. there are areas of ambiguity. everybody admits that. there's a general sense. this is an attack that would justify a military response. there's a desire to see it carried out in the provisions of the u.n. charter and the things that self-defense. most of what we see in cyberspace doesn't qualify as an attack. we call it an attack in the press. from the perspective of the international community, it's not an attack. therefore, a military response is unjustified.

so we have tremendous military capabilities but they're not going deter crime risk. they didn't deter crime espionage in the cold war. why are we surprised now? >> if i can pull the thread on that. regardless of the incoming threat. it's our ability cyber offensive effect it could be against a bombing. as part of a greater mix of military power that we might have, i try it put that to the wider context of all of the element of national power. that is part of that.

.. >> hi, thank you for a wonderful, wonderful pam, and, jim, as you know, on "ground hog day," bill murray becomes a better person and gets the girl. [laughter] there is a good ending. last night, too bad there's not more people, but melissa hataway gave a